Re: SQL INJECTION - ORACLE

From: Kevin Spett (kspett@spidynamics.com)
Date: 12/11/01


From: "Kevin Spett" <kspett@spidynamics.com>
To: "foo bar" <badb0t@hotmail.com>, <pen-test@securityfocus.com>
Date: Mon, 10 Dec 2001 15:51:43 -0800

First of all:
> Input: ') from getpolicynumber -- "'"
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'
>
> [Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function,
> package, or type is not allowed here
There is no magical comment character in Oracle. -- is only good in SQL
Server.

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong number
> or types of arguments in call to 'GETPOLICYNUMBER'
Hmmm, looks like your input is going to a user defined stored procedure.
That could mean that you're out of luck.

Try seeing if using a subselect or a union works. Here are some examples:
Subselect: (SELECT blah FROM bleh WHERE 1=1)
Union: ') UNION SELECT blah, blah, blah FROM bleh WHERE (''='

I've got a paper on the way soon that'll go into detail on these things.

Kevin Spett
Czar of SQL Injection
SPI Dynamics, Inc.
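The exchange above turns on two things: the application concatenates the visitor's text into a SQL statement (so a `') UNION SELECT ... WHERE (''='` style value is parsed as part of the grammar), and it returns the raw driver error text (the ORA-/PLS- messages) to the client. The following is an added example, not code from the post, its author, or SPI Dynamics. It uses Python's built-in `sqlite3` module as a stand-in for the Oracle-over-ODBC backend so it runs offline; the `policies` and `users` tables, the `holder` parameter, and the function names are constructed for the illustration. It shows the same lookup written with string concatenation and with a bind variable, and a wrapper that keeps driver error text in server-side logs instead of the HTTP response.

```python
import sqlite3

# Constructed sample schema: a table the application is meant to query,
# plus a table that must never be reachable from the lookup form.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE policies (holder TEXT, policy_number TEXT);
        INSERT INTO policies VALUES ('alice', 'POL-1001'), ('bob', 'POL-1002');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'hash-placeholder');
    """)
    return conn


def lookup_vulnerable(conn, holder):
    # String concatenation: whatever the user typed becomes part of the SQL
    # text, so a closing quote and parenthesis end the IN (...) list and the
    # rest of the input is parsed as new SQL (the pattern discussed on the list).
    sql = "SELECT policy_number FROM policies WHERE holder IN ('" + holder + "')"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, holder):
    # Bind variable: the value travels separately from the statement text and
    # is only ever compared as data. The same payload simply matches no row.
    sql = "SELECT policy_number FROM policies WHERE holder IN (?)"
    return [row[0] for row in conn.execute(sql, (holder,))]


GENERIC_ERROR = "The request could not be processed."


def safe_lookup(conn, holder, query_fn=lookup_parameterized, log=None):
    """Run query_fn and never hand the driver's own error text to the caller.

    The ORA-/PLS- messages quoted in the thread tell a remote user which
    database is behind the form and how the injected text was parsed; they
    belong in server-side logs, while the client gets a fixed message.
    """
    try:
        return {"ok": True, "rows": query_fn(conn, holder)}
    except sqlite3.Error as exc:
        if log is not None:
            log.append(f"db error for holder={holder!r}: {exc}")
        return {"ok": False, "message": GENERIC_ERROR}


# Constructed inputs mirroring the shapes discussed in the post: a UNION whose
# column count matches the original SELECT, and one whose count does not.
UNION_PAYLOAD = "') UNION SELECT password_hash FROM users WHERE (''='"
MISMATCH_PAYLOAD = "') UNION SELECT username, password_hash FROM users WHERE (''='"


if __name__ == "__main__":
    db = build_db()
    print("concatenated, normal input:", lookup_vulnerable(db, "alice"))
    print("concatenated, union input: ", lookup_vulnerable(db, UNION_PAYLOAD))
    print("bound, union input:        ", lookup_parameterized(db, UNION_PAYLOAD))
    server_log = []
    print("guarded, mismatched union: ",
          safe_lookup(db, MISMATCH_PAYLOAD, lookup_vulnerable, server_log))
    print("server log:", server_log)
```

Running it shows the concatenated query returning a row from `users` for the union input, the bound query returning nothing for the same string, and the guarded wrapper answering a column-count mismatch with the fixed message while the driver's explanation lands only in `server_log`. With bind variables there is nothing for a comment sequence or a union to attach to, which is why they, not input filtering, are the fix regardless of which database dialect sits behind the ODBC driver.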

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


